Privacy impact assessments should be mandatory and must engage stakeholders in the process, says a consortium in its final report to the European Commission after a multi-country research project. With biometric organizations, such as the Biometrics Institute also promoting privacy charters, this will make interesting reading for companies and suppliers implementing biometric systems.

The 22-month PIAF project was co-funded by the European Union under its Fundamental Rights and Citizenship Programme and undertaken by a consortium comprising the Vrije Universiteit Brussel (VUB), Trilateral Research & Consulting and Privacy International. PIAF is the acronym for Privacy Impact Assessment Framework for data protection and privacy rights.

The consortium defines a privacy impact assessment (PIA) as “a process for assessing the impacts on privacy of a project, policy, programme, service, product or other initiative and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimise the negative impacts”.

Although privacy impact assessment has a history going back to the early to mid-1990s in countries such as Australia, Canada, New Zealand and the US, it is a relatively new concept in Europe. The UK Information Commissioner’s Office produced the first PIA Handbook in Europe in 2007. Most recently, the European Commission made provision for PIA (or data protection impact assessment, as it calls it) in Article 33 of the proposed Data Protection Regulation, which it released officially in January 2012.

The PIAF consortium addresses recommendations to policy-makers as well as those undertaking PIAs. Among its key recommendations are these:

The obligation to carry out a PIA when there is a likelihood of risk to the protection of privacy and personal data should have a firm legal basis. However, the legal obligation should not preclude other incentives for carrying out a PIA, in particular the benefits of PIA, being identified and communicated to organisations.

A PIA should be carried out for projects sponsored by more than one organisation as well as for projects with a trans-border dimension, at least if they have significant privacy implications.

A PIA should be regarded and carried out as a process and not only as a single task aimed at completing a report. A PIA process starts early and continues throughout the life cycle of the project.

A PIA policy should allow organisations to carry out a PIA appropriate to their own circumstances. The policy should allow scalability of the PIA process.

A PIA should address all types of privacy and not only the protection of personal data.

A PIA process should enjoy at least a minimum level of transparency. Both the assessor and stakeholders must have all relevant information to assess the privacy and data protection implications of a proposed project. Organisations should generally make PIAs publicly available, e.g., publish them on their websites. However, for PIAs genuinely involving national security or commercially sensitive information, the organisation could publish a summary or a redacted PIA.

Organisations undertaking a PIA should identify and inform stakeholders, as representative as possible, including the public, if applicable, about the PIA process. Organisations should seek stakeholders’ views and take them into consideration. A PIA policy should provide explicit mechanisms for stakeholder consultation.

Risk management and checking legal compliance are core elements of PIA. To that end, effective procedures for risk management should be identified and/or developed. Residual risks should be justified.

An organisation should be able to demonstrate that a PIA has been carried out adequately. A PIA process should be subjected to external review and/or audit. Independent third-party reviews and/or audits are critical to ensure that a PIA was properly carried out and its recommendations implemented. Audits and reviews are a function of the principle of accountability and lead to improvements in PIA practice.

For more information, see the PIAF final deliverable (D3) on the project’s website at www.piafproject.eu.